REMARKS



By this amendment, Applicants have made corrections to the drawings and the specification
and have added new claims 44-114. The amendments to the drawings and the specification add no
new matter and have been previously approved by the Examiner in connection with the
applications from which the present application claims priority. More particularly, in the drawings,
Applicants have amended FIG. 2 to show an interconnection between the switching link 230 and the 
backbone module (BM) 220. No new matter has been added in FIG. 2 since the interconnection 
between link 230 and BM 220 is disclosed on page 8, lines 19 through 22, of the specification. 
Applicants have amended FIG. 6 to correct a reference numeral and have amended FIG. 10 to add 
"Y" below step 1005 to indicate a decision. No new matter has been added to FIG. 10, as the 
insertion of "Y" is disclosed in lines 5 through 7 on page 23 of the specification. 

In the specification, Applicants have added a section cross-referencing related applications 
to add the number of the issued U.S. patent corresponding to the application from which the present 
application claims priority. Applicants have also deleted a reference in the specification to an issued 
patent and an application that merely provides one or two examples of the wide variety of protocols 
known by those of ordinary skill in the art. The remaining changes of the word "connectivity" to 
"communicability," which were made and approved in the applications from which the present 
application claims priority, are also made here for consistency. 

Based on the foregoing, Applicants respectfully request entry of the present amendment and 
examination and allowance of this application. 

Attached hereto is a marked-up version of the changes made to the specification and claims
by the current amendment. The attached page is captioned "Version with markings to show
changes made."



Respectfully submitted, 



CHRISTIE, PARKER & HALE, LLP 




Art Hasan 
Reg. No. 41,057 
626/795-9900 
VERSION WITH MARKINGS TO SHOW CHANGES MADE

FIELD OF THE INVENTION 

The present invention relates to regulating connectivity to and communicability within
communication networks. More specifically, the present invention relates to authenticating and 
establishing personalized network connectivity for local users of institutional communication 
networks. 

BACKGROUND OF THE INVENTION 
Institutions are relying increasingly on their data communication network infrastructures for
efficient communication and data transfer. With this increasing reliance on network computing has
arisen a significant need for mechanisms to [regulate connectivity] regulate connectivity to and
communicability within such networks. This need has been partially filled by internet protocol (IP)
firewalls. IP firewalls typically restrict access to fixed sets of network resources by applying a set
of protocol level filters on a packet-by-packet basis or by requiring prospective users to become
authenticated before gaining access to the resources. Authentication has generally required users to
supply certain signature information, such as a password. While this requirement of signature 
information has reduced the risk of unauthorized access to firewall-protected resources, firewalls 
have proven an imperfect and inflexible regulatory solution. Because firewalls are protocol-specific, 
firewalls have not provided a means for regulating network connectivity in a multi-protocol 
environment. Moreover, because firewalls regulate access to particular network resources, they have 
failed to provide a means for regulating access to sets of network resources which can vary as a 
function of user identity. 
Accordingly, there is a need for comprehensive services for regulating [connectivity]
communicability in institutional networks which are not subject to the inflexibility of conventional
user log-in mechanisms or the lack of consideration for user identity of conventional VLAN
assignment techniques, [authenticate local users of institutional connectivity.] There is also a need
for services which authenticate local users of institutional networks before establishing network
communicability. There is a further need for user authentication services which provide collateral
functionality, such as the ability to dynamically track the whereabouts of network users.

These and other objects of the present invention are accomplished by a service which requires that 
local users be authenticated before gaining access to personalized sets of network resources. User 
identification information, time restrictions and authorized lists of resources for particular users are 
entered and stored in the network. Prior to authentication, packets from an end system being used 
by a prospective user of network resources are transmitted to an authentication agent operative on 
an intelligent edge with the system. The agent relays log-in responses received from the system to
a basic authentication server in the network for verification of the user. Verification is made by 
comparing log-in responses with the user identification information stored in the network and 
determining whether time restrictions associated with the user identification information are 
applicable. If the basic authentication server is able to verify from the log-in response that the user 
is an authorized user of network resources, and that the user is authorized to use the network 
resources at the time of the log-in attempt, the basic authentication server transmits to the agent the 
list of network resources for which the user is authorized, along with any time restrictions. The agent 
forwards the list of authorized network resources and time restrictions for storage and use on the 
edge device. The edge device uses the authorized list of resources and time restrictions to establish
network [connectivity] communicability rules for the user. Preferably, the authorized list of network
resources is a list of one or more VLANs. 

In another aspect of the invention, when an authenticated user logs-off the network, or fails 
to transmit packets for a predetermined time, or if the system being used by the authenticated user 
is disconnected from the network, or if the authorized [connectivity] communicability period
expires, or if the basic authentication server or other management entity instructs the agent to abolish
the authenticated user's network [connectivity] communicability, the authenticated user's network
[connectivity] communicability is deactivated.

Agent 400 also includes RSRC RLY means 460. Means 460 serves to forward for storage
and use on device 10 authorized [connectivity] communicability information received from server
320 for authenticated users of systems 40, 50, 60. Authorized [connectivity] communicability
information may advantageously be transmitted by server 320 to agent 400 in the same data packet
as user status information. Authorized [connectivity] communicability information includes, for the
particular one of the systems 40, 50, 60, a list of authorized network resources. Authorized
[connectivity] communicability information may also include time restrictions, if any. Time
restrictions preferably define times during which the particular user is authorized to use the network
resources, such as the day of the week, the time of day, and the length of permitted access. The list
of authorized network resources is preferably a list of VLAN identifiers. Authorized [connectivity]
communicability information is preferably forwarded by agent 400 to management processor
module 210 along with the authentication module identifier. Management processor module 210
preferably associates the authorized [connectivity] communicability information with a known
address of the one of the systems 40, 50, 60 being used by the authenticated user and stores the pair 
in device records. The address is preferably a MAC address. 

2. If the destination address is not the address of another one of systems 40, 50,
60 associated with device 10, resort is made to device records on device 10
to retrieve the VLAN identifiers associated with the source system. The
VLAN identifiers are appended to the packet and the packet is [forwarded to]
transmitted by backbone module 220 for transmission on backbone network
30. When the packet arrives on the edge device (e.g., 15) associated with the
destination system (e.g., 45), resort is made to device records on the edge
device to verify that the source and destination systems share a common
VLAN. If a VLAN is shared, the packet is forwarded to the destination
system. If a VLAN is not shared, the packet is dropped.

Packets addressed to unauthenticated systems in network 1 continue to be dropped. The
foregoing rules may be implemented using various known protocols. [See, e.g., Ross U.S. Patent No.
5,394,402 and Nair & Dailey, Application Serial No. 08/782,444, which are incorporated herein by
reference.] It will be appreciated that any addressable core, edge, or end devices, stations and
systems in network 1 which are not subject to authentication requirements may be treated as
authenticated systems for purposes of transmitting and receiving packets under the foregoing rules.
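The forwarding rule above, as an added example that is not part of the patent or its specification: a constructed model of the edge-device records (MAC address mapped to VLAN identifiers and an expiry for the authorized period) with the source-edge tagging step, the destination-edge shared-VLAN check, and the ID TERM deactivation step. The record layout and function names are assumptions.

```python
from datetime import datetime

# Constructed device records for an edge device (hypothetical layout, not the patent's code):
# MAC address -> authorized communicability information (VLAN identifiers and, if time
# restrictions apply, the instant at which the authorized period expires).
DEVICE_RECORDS = {
    "00:11:22:33:44:01": {"vlans": {10, 20}, "expires": datetime(2024, 1, 3, 17, 0)},
    "00:11:22:33:44:02": {"vlans": {20}, "expires": datetime(2024, 1, 3, 17, 0)},
    "00:11:22:33:44:03": {"vlans": {30}, "expires": None},  # no time restriction
}


def active_record(records, mac, now):
    """Return the entry for an authenticated system whose authorized period has not expired."""
    rec = records.get(mac)
    if rec is None or (rec["expires"] is not None and now >= rec["expires"]):
        return None
    return rec


def tag_for_backbone(records, src_mac, now):
    """Source edge device: append the source system's VLAN identifiers for backbone transmission.
    Packets from a system that is not (or no longer) authenticated go to the agent instead."""
    rec = active_record(records, src_mac, now)
    if rec is None:
        return "to_agent", set()
    return "backbone", set(rec["vlans"])


def deliver_at_destination_edge(records, tagged_vlans, dst_mac, now):
    """Destination edge device: forward only if source and destination share a VLAN."""
    rec = active_record(records, dst_mac, now)
    if rec is None:
        return "drop"  # packets addressed to unauthenticated systems are dropped
    return "forward" if tagged_vlans & rec["vlans"] else "drop"


def forward(records, src_mac, dst_mac, now):
    """Combined decision for a packet crossing the backbone between two edge devices."""
    action, vlans = tag_for_backbone(records, src_mac, now)
    if action != "backbone":
        return action
    return deliver_at_destination_edge(records, vlans, dst_mac, now)


def deactivate(records, mac):
    """ID TERM step: remove the address/communicability entry so the system reverts to the
    unauthenticated state (returns False if the system was not authenticated)."""
    return records.pop(mac, None) is not None
```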

Agent 400 also includes ID TERM means 470. Means 470 serves, upon receipt of log-off 
commands from authenticated users, or upon expiration of the authorized [connectivity] 
communicability period, or when one of authenticated systems 40, 50, 60 is physically disconnected
from network 1, or when one of authenticated systems 40, 50, 60 fails to send traffic for a prescribed
length of time, or upon receipt of instruction from server 320, to deactivate the established network
[connectivity] communicability. Means 460 forwards to management processor module 210 a
request to remove from device records the address-authorized connectivity information entry for the 
user whose connectivity is to be deactivated. Upon receipt of such a request, management processor 
module 210 preferably removes the entry from device records and the authenticated one of systems 
40, 50, 60 reverts to the unauthenticated state. 

Turning to Fig. 5, a functional diagram of basic authentication server 320 is shown. Server 
320 includes RSRC AUTH means 510. Means 510 serves to enable network administrators to define, 
on an individualized basis, authorized [connectivity] communicability.

Server 320 also includes ID VER means 530. Means 530 serves to subject to a verification 
process authentication information received from users via agent 400. Means 530, upon receipt of 
authentication information from agent 400, determines if the log-in response matches the user 
identification information associated with a user-specific entry in user records 330. If a match is 
found, and there are time restrictions associated with the user-specific entry, means 530 determines 
from the time restrictions if the user is authorized to use network 1 at the particular time. If the user 
is time-authorized or there are no time restrictions, means 530 generates authorized [connectivity]
communicability information. Means 530 retrieves the list of authorized network resources
associated with the matching user identification information in the generation of authorized
[connectivity] communicability information. Authorized [connectivity] communicability
information may also include any time restrictions. Means 530 also generates user status information.
User status information is information sufficient to communicate to agent 400 whether user 
identification information was successfully verified. User status information is preferably either a 
log-in valid or log-in invalid message. Means 530 transmits authorized [connectivity]
communicability information and user status information to agent 400. Preferably, authorized
[connectivity] communicability information and user status information are transmitted as part of
the same data packet. If no match for user identification information is found, or if the user is not 
time-authorized, means 530 generates and transmits to agent 400 user status information, preferably 
in the form of a log-in invalid message, but does not generate or transmit authorized [connectivity]
communicability information. Although the above described means operative on server 320 are
described to be interoperative in conjunction with agent 400, it will be appreciated that the means
are fully interoperative with other authentication agents residing on edge devices in network 1.

Server 320 also includes ID STOR means 540. Means 540 serves to forward for storage and 
use by a network administrator user tracking information. User tracking information is preferably 
retained for all log-in attempts made by prospective users, whether successful or unsuccessful. User 
tracking information may include, for each log-in attempt, any information learned from one or more 
of the following: user identification information, authentication information, user status information, 
authorized [connectivity] communicability information. User tracking information also may include
the time of day the log-in attempt was made. The time of day may be kept on and obtained from 
server 320. Server 320 preferably associates the user tracking information and stores the information 
as an entry in a network activity database (not shown) that is accessible by or resides on station 20. 
Network activity database entries are accessible by a network administrator using interface 310.

Server 320 also includes NET MNTR means 550. Means 550 serves to enable a network 
administrator to access and use user tracking information. Means 550 supplies a textual or graphical 
display to interface 310 operative to display user tracking information. Means 550 also enables a 
network administrator to generate user tracking information reports consisting of related information 
from one or more user tracking information entries. 

Client 360 further includes ID OFF means 640. Means 640 serves to initiate the log-off
process by which authenticated users log-off the network 1. Means 640 supplies a textual or 
graphical display to user interface 350 operative to accept log-off commands. Means 640 transmits 
log-off commands to agent 400 for deactivation of established network connectivity. 

Referring to Fig. 7, a network 7 operating in accordance with an alternative embodiment of the 
present invention is shown. In the alternative embodiment, an enhanced authentication method is 
conducted before network [connectivity] communicability is granted. 

Server 800 also includes ENH ID VER means 830. Means 830 serves, upon verifying log-in 
responses received from a user and that the user is authorized to use the network 7 at the time of the 
log-in attempt, to initiate an enhanced authentication method, if indicated. Means 830, upon 
determining that the log-in response matches user identification information associated with a 
user-specific entry in user records, and upon determining that the user is time-authorized if time 
restrictions are indicated, checks whether there is an enhanced authentication method associated with 
the matching user-specific entry. If an enhanced authentication method is indicated, means 820, 
before transmitting authorized [connectivity] communicability information and user status 
information to the agent on the appropriate one of devices 710, 715, transmits a request to enhanced
authentication server 770 to conduct an enhanced authentication session with the user. The 
enhanced authentication session is preferably conducted between enhanced server 770 and the user 
transparently to basic server 800. Enhanced server 770 instructs basic server 800 of the results of the 
enhanced authentication session. If the user was successfully authenticated, means 830 transmits to 
the agent authorized [connectivity] communicability information and user status information,
preferably in the form of a log-in valid message. If the user was not successfully authenticated,
means 830 transmits user status information, preferably a log-in invalid message, but no authorized
[connectivity] communicability information. If an enhanced authentication method is not indicated
when the check for an enhanced authentication method is performed, means 830 transmits to the
agent [authorized connectivity] authorized communicability information and user status
information, in the form of a log-in valid message, without engaging server 770. If a matching entry
for user identification information is not found in user records, or if the user is not time-authorized,
means 830 transmits to the agent user status information, in the form of a log-in invalid message,
without transmitting authorized communicability information.

Accordingly, once a determination is made that the user is time-authorized (1005), basic 
server 800 checks whether there is an enhanced authentication method associated with the matching 
entry (1010). If an enhanced authentication method is indicated, server 800 transmits a request to 
enhanced authentication server 770 to conduct an enhanced authentication session with the user 
(1015). Enhanced server 770 informs basic server 800 of the results of the enhanced authentication 
session. If the session was successfully completed (1020), basic server 800 transmits authorized 
[connectivity] communicability information and user status information, in the form of a log-in
valid message, to the agent (1030). If the enhanced session was not successfully completed (1025), basic
server 800 transmits a log-in invalid message to the user and does not transmit authorized [connectivity]
communicability information to the agent. The agent also, in that instance, determines whether the user has made a
configurable number of failed log-in attempts. The authentication session either continues or
terminates as discussed depending on the outcome of that inquiry. If an enhanced authentication
method is not indicated when the check for an enhanced authentication method is performed (1010),
server 800 transmits authorized [connectivity] communicability information and user status
information, in the form of a log-in valid message, without requesting server 770 to conduct an
enhanced authentication session.
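The verification flow of means 530 and 830 and the agent's failed-attempt limit, as an added example that is not part of the patent or its specification: constructed user records with a password, time restrictions (day of week, time of day, length of permitted access) and an optional enhanced authentication method; `enhanced_session` is a stand-in callback for enhanced server 770, and the record layout, function names and `MAX_FAILED_ATTEMPTS` value are assumptions.

```python
import hmac
from datetime import datetime, timedelta

# Constructed user records for the basic authentication server (hypothetical layout, not the
# patent's code). Time restrictions: permitted weekdays (0 = Monday), permitted hour window,
# and length of permitted access in minutes.
USER_RECORDS = {
    "alice": {"password": "correct horse", "vlans": [10, 20], "enhanced": None,
              "time": {"days": {0, 1, 2, 3, 4}, "start_hour": 8, "end_hour": 18,
                       "max_minutes": 240}},
    "bob": {"password": "battery staple", "vlans": [30], "enhanced": "token",  # enhanced method indicated
            "time": None},
}
TRACKING = []            # ID STOR: one entry per log-in attempt, successful or not
MAX_FAILED_ATTEMPTS = 3  # configurable on the agent (assumed value)


def time_authorized(restrictions, now):
    """Time restrictions: no restrictions means always authorized."""
    if restrictions is None:
        return True
    return (now.weekday() in restrictions["days"]
            and restrictions["start_hour"] <= now.hour < restrictions["end_hour"])


def verify_login(records, user, response, now, enhanced_session=None):
    """ID VER / ENH ID VER: return (user status, authorized communicability information).
    enhanced_session stands in for enhanced server 770: called as enhanced_session(user, method)
    and returns True when the enhanced session succeeds. Only ASCII passwords are assumed."""
    entry = records.get(user)
    status, info = "log-in invalid", None
    credentials_ok = (entry is not None
                      and hmac.compare_digest(entry["password"], response))
    if credentials_ok and time_authorized(entry["time"], now):
        method = entry["enhanced"]
        if method is None or (enhanced_session is not None and enhanced_session(user, method)):
            status = "log-in valid"
            info = {"vlans": list(entry["vlans"]), "time": entry["time"]}
            if entry["time"] is not None:   # the edge device uses this to expire the period
                info["expires"] = now + timedelta(minutes=entry["time"]["max_minutes"])
    TRACKING.append({"user": user, "time": now, "status": status, "authorized": info})
    return status, info


def agent_login(records, user, response, now, failures, enhanced_session=None):
    """Agent side: relay the log-in response to the server and terminate the authentication
    session after a configurable number of failed attempts."""
    status, info = verify_login(records, user, response, now, enhanced_session)
    if status == "log-in valid":
        failures[user] = 0
        return "authenticated", info
    failures[user] = failures.get(user, 0) + 1
    return ("terminated" if failures[user] >= MAX_FAILED_ATTEMPTS else "retry"), None
```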